Why "meadow-cloud-chocolate-chestnut" is stronger than "M@rk0_2024!" — and how Geslar generates passphrases from 4 Croatian dictionaries.
Numbers that should worry you
8 characters: average password length users choose on their own
< 1 hour: time to crack an 8-character password with a GPU (Hashcat)
72+ bits: entropy of a Geslar passphrase with 4 Croatian words
300+ years: estimated time to crack a Geslar passphrase by brute force
Password vs Passphrase — comparison
Typical "strong" password
M@rk0_2024!
11 characters — looks complex
~35 bits of entropy (predictable pattern)
Name + substitutions + year = easy to guess
Hard to remember, easy to crack
Brute force: less than a minute
Geslar passphrase
livada-oblak-čokolada-kesten
28 characters — 2.5 times longer
~72 bits of entropy (cryptographically random)
4 random words from a Croatian dictionary
Easy to remember, nearly impossible to crack
Brute force: 300+ years
What exactly is a passphrase?
A passphrase is a password made up of randomly selected words instead of random characters. The concept was popularized by XKCD comic #936, which showed that "correct horse battery staple" is more secure and easier to remember than "Tr0ub4dor&3".
The key difference: humans are bad at choosing "random" characters — they use names, dates, substitutions (@ instead of a, 0 instead of o). Attackers know this and have dictionaries of these patterns. A passphrase eliminates human bias by using a cryptographically secure generator.
The mathematics behind security
Entropy measures how unpredictable a password is. The more bits of entropy, the more secure the password.
Typical password: 25-40 bits
"Marko2024" looks unique to you, but for hashcat it's a name from the top 100 + a year. About 25-35 bits of entropy. Cracked in seconds.
Geslar passphrase: 72+ bits
4 words from a dictionary of ~4,000 words = log2(4000^4) = ~48 bits. With separator variations and capitalization, Geslar achieves 72+ bits. Practically unbreakable.
NIST recommendation: 64+ bits
The U.S. National Institute of Standards and Technology (NIST SP 800-63B) recommends a minimum of 64 bits of entropy for secure authentication systems. Geslar passphrases exceed this.
Formula: Entropy = log2(number_of_possibilities ^ number_of_elements). Each additional word exponentially increases the space of possible combinations — that's why a 4-word passphrase is more secure than a 12-character "random" password you came up with yourself.
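The formula above as an added example (not Geslar's code): it computes passphrase entropy under a uniform-selection model and generates a phrase with Python's secrets module. The sample word list, the function names and the capitalization model (one random bit per word) are assumptions made here.

```python
import math
import secrets

# Constructed sample list: four words from the article plus four made up here.
# A real dictionary would hold thousands of unique words.
SAMPLE_WORDS = ["livada", "oblak", "čokolada", "kesten",
                "more", "šuma", "kruh", "zvijezda"]

def entropy_bits(wordlist_size, num_words, num_separators=1, random_caps=False):
    """Entropy in bits of a passphrase whose every choice is uniform and independent."""
    bits = num_words * math.log2(wordlist_size)  # log2(size ** num_words)
    bits += math.log2(num_separators)            # one separator picked for the whole phrase
    if random_caps:
        bits += num_words                        # assumed model: 1 coin flip per word
    return bits

def words_needed(wordlist_size, target_bits):
    """Smallest word count whose entropy reaches target_bits (words only)."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate(wordlist, num_words=4, separators=("-",), random_caps=False):
    """Return (passphrase, entropy_bits) using the OS CSPRNG via `secrets`."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would make the entropy figure too high")
    if any(sep in word for word in wordlist for sep in separators):
        raise ValueError("a separator inside a word makes phrases ambiguous")
    sep = secrets.choice(separators)
    words = [secrets.choice(wordlist) for _ in range(num_words)]
    if random_caps:
        words = [w.capitalize() if secrets.randbits(1) else w for w in words]
    bits = entropy_bits(len(wordlist), num_words, len(separators), random_caps)
    return sep.join(words), bits

if __name__ == "__main__":
    phrase, bits = generate(SAMPLE_WORDS)
    print(f"{phrase}  ({bits:.1f} bits from this tiny sample list)")
    print(f"4 words of 4000: {entropy_bits(4000, 4):.1f} bits")
    print(f"words of 4000 needed for 64 bits: {words_needed(4000, 64)}")
```

The entropy figure only holds when every choice comes from a cryptographically secure generator and the attacker is assumed to know the word list and the settings.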
Why Croatian words specifically?
Most password cracking tools (hashcat, John the Ripper) use English dictionaries. Geslar uses 4 specially curated Croatian word collections:
Standard dictionary
Most commonly used Croatian words — understandable, memorable, and diverse enough for strong entropy.
Kajkavian dialect
Words from the Kajkavian dialect — "hiža", "kušin", "pajdaš". They add diversity and make dictionary attacks harder.
Chakavian dialect
Chakavian words — "kantat", "poništra", "škovaca". Virtually nonexistent in attacker dictionaries.
Metaphors and expressions
Creative expressions and metaphors — visually rich, easy to remember, and they make the passphrase even more unique.
Additional advantage: Diacritical characters (č, ć, š, ž, đ) add complexity because most password cracking tools don't support them in their standard attack rules.
How to generate a passphrase with Geslar?
Three clicks — that's all you need:
1. Select "Phrase" mode
In the Geslar generator, switch to "Phrase" mode — the passphrase generator with Croatian dictionaries activates automatically.
2. Adjust settings
Choose the dictionary (standard, Kajkavian, Chakavian, or metaphors), number of words (3-6), and separator (hyphen, period, space).
3. Copy and use
Click generate — you get a passphrase with displayed entropy. Copy with one click and save it in Vault.
Conclusion
The password approach is outdated. The human brain can't come up with a password that a modern computer can't crack — but it can remember 4 random words.
A passphrase is longer, more secure, and easier to remember than any traditional password. With Geslar, you get a passphrase in Croatian, from dictionaries unavailable to attackers, with cryptographically secure entropy.
Generate your first passphrase — for free, right now.